On Adobe, Qualys, CVE and Math

Over the weekend Jericho published on the OSVDB blog an analysis of annual vulnerability numbers that Elinor Mills from CNET had written about on Thursday in her InSecurity Complex blog. Some of the numbers originated from Qualys and we were not specific enough on the exact scope. As Jericho speculated our numbers were indeed for a more narrow set of products – not for all of Adobe and Microsoft software, but specifically for Adobe Reader and Microsoft Office. Elinor has since updated the article.

The overall point that we are trying to make remains the same – patching such applications is being neglected by most IT admins and attackers have increasingly shifted their attention to exploiting vulnerabilities in them. On Friday Brad Arkin from Adobe stated that Adobe Reader as a cross operating system application has a bigger installed base than Microsoft Windows, which makes it a very attractive target to attack.

What is your opinion on why the number of vulnerabilities found in Adobe Reader have gone up in 2009? Did attackers first notice that there was a potential, started writing exploits and then security researchers followed up or was it the other way around?